By Andrew Jackson
The much-anticipated GDPR comes into effect in May of this year, so data security and information governance have been high on every business's agenda for some time, in preparation.
Data security measures can present complications to businesses that are rolling out a digital workplace, however. How, for example, do you grant staff more flexibility and remote access while ensuring that your network and sensitive data remain secure?
I am passionate about the positive impact technology can have on businesses and people’s lives, so I spoke to four CIOs from private, public and third sectors, to hear their challenges and candid experiences. These interviews make up part of our latest research paper, The Technology Trinity, providing genuine digital transformation insights from IT leaders, across three very different industries.
Managed services protect private sector
The Information Commissioner’s Office reported the number of data breaches in the legal sector increased by almost a third between 2015 and 2016.
Data held by law firms is highly sensitive, but legacy architecture and unstructured data make them particularly vulnerable to attack. At the same time, digital working practices are on the rise in the legal sector, requiring a sharper focus on cyber security and data governance.
Mabel Evans, IT Director of the law firm Fieldfisher, explains in the report that having a managed service took the pressure off her firm when it came to securing the company's data.
“Six years ago, we signed up to IaaS, so we don’t hold any of our data in any of our offices. It’s all locked down and held in a secure data centre as another managed service.”
Evans also described how Fieldfisher deployed rigorous monitoring tools and systems to identify any red flags or abnormal behaviour. In the legal profession, companies are less likely to have a BYOD strategy; lawyers are often happy to use their work devices for remote working.
Ultimately, however, security is only as strong as your workforce. Even after moving your sensitive data offsite and ensuring strong file encryption, rigorous monitoring and red-flag identification, you can only go so far. You need to educate your workforce on the importance of data protection.
“Now there is more activity undertaken electronically, we provide many tools including secure file sharing and equally educate them on why they can’t save their files on Dropbox or in their personal email accounts.”
Encrypting personal data in public sector
Mark Thomas, Director of Health Informatics for Northumbria Healthcare NHS Foundation Trust
Thanks to the incredibly sensitive nature of the data it holds, the need for robust and impenetrable online security is critical in the healthcare industry.
In May 2017, however, NHS England fell victim to a vast global cyber attack: WannaCry. The ransomware encrypted hundreds of sensitive files, hitting 48 NHS England trusts — one in five across the country.
Mark Thomas, Director of Health Informatics at NHS Northumbria Healthcare, explained to me in the report how the healthcare industry historically saw data protection as a barrier to providing necessary care, but now, thanks to preparations for GDPR and the recent WannaCry attack, attitudes are shifting.
“It’s a balance. On the one hand we need to be prepared for the GDPR by encrypting and protecting personal data; yet we also need to make sure that the correct information is available — and easy to use — at the point of care. Data protection was always seen as a blocker, whereas now it’s an enabler; it’s just about making sure information is shared appropriately.”
We asked Thomas how it’s possible to strike this balance within the healthcare industry, when more personal devices are connecting to the core NHS network. He explained that the key is access rights and layers of protection, safeguarding the core information and most valuable data.
“You’re not protecting your network at a device level. You’re ensuring security on a user level, regardless of the device or the location of the user.”
Currently, patients grant or deny a practitioner access to their full medical history, for data protection. But what happens in an emergency? What if sensitive data needs to be shared without consent to ensure a life is saved?
“We have a process called ‘break glass’; the clinician has the capability to make a high-level decision, if it’s a life threatening situation. He or she confirms they are taking the decision to access the patient’s information without permission.”
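As an added illustration of the break-glass process Thomas describes (not code from the report or from the Trust's own systems), the check below gates a record on recorded patient consent and allows an override only when an emergency is declared, the clinician explicitly confirms they are taking the decision, and a justification is given; every override is written to an audit log for later review. Patient ids, clinician names and consent values are constructed for the example.

```python
"""Consent-gated record access with an audited break-glass override (illustrative)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AuditEvent:
    clinician: str
    patient_id: str
    outcome: str          # "granted", "denied" or "break_glass"
    justification: str
    at: str               # ISO-8601 UTC timestamp


@dataclass
class RecordAccessPolicy:
    # Constructed consent registry: patient_id -> True if the patient has
    # granted access to their full history. Missing patients are treated as "no".
    consent: dict[str, bool]
    audit_log: list[AuditEvent] = field(default_factory=list)

    def _log(self, clinician: str, patient_id: str, outcome: str, justification: str = "") -> None:
        self.audit_log.append(AuditEvent(clinician, patient_id, outcome, justification,
                                         datetime.now(timezone.utc).isoformat()))

    def request_access(self, clinician: str, patient_id: str, *, emergency: bool = False,
                       confirmed: bool = False, justification: str = "") -> bool:
        """Return True if the clinician may open the patient's full record.

        Normal path: the patient's recorded consent decides.
        Break-glass path: only in a declared emergency AND with the clinician's
        explicit confirmation and a non-empty justification; the override is audited.
        Everything else is denied (and also logged, so refusals are visible).
        """
        if self.consent.get(patient_id, False):
            self._log(clinician, patient_id, "granted")
            return True
        if emergency and confirmed and justification.strip():
            self._log(clinician, patient_id, "break_glass", justification.strip())
            return True
        self._log(clinician, patient_id, "denied")
        return False

    def overrides_for_review(self) -> list[AuditEvent]:
        """Break-glass events the information governance team should review."""
        return [e for e in self.audit_log if e.outcome == "break_glass"]
```

The point of the design is that an emergency alone never unlocks a record: the clinician's confirmation is what makes the access defensible, and the audit trail is what lets governance check it afterwards.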
Raising staff awareness in public sector
Dr. Graham Evans, Chief Information and Technology Officer for North Tees and Hartlepool NHS Foundation Trust & South Tees Hospitals NHS Foundation Trust
For Dr. Evans, building in security as part of both the technical architecture and workforce training was essential for NHS England. A shortfall in staff knowledge, unfortunately, gave the WannaCry attack the ability to spread.
“You’ll never get ahead of the threats, so you need to keep your people vigilant. Training, awareness and education are essential. Equally, invest wisely in technology, services and systems, and malware protection.”
Trend analysis using big data can also provide critical insight into changes in network access and staff behaviour, buying essential time to react before an incident unfolds.
But what was his final piece of advice in the report? Plan to fail.
“When the inevitable does happen, what is your plan for business continuity? People always look to IT when there’s an outage, but there’s a clue in the words ‘business continuity’. You need to know how to run the business when you’ve got little or no IT.”
Securing third sector users, not devices
Martyn Croft, Former Chief Information Officer of the Salvation Army
There’s a considerable lack of digital maturity in the third sector; the sector as a whole is lagging five years or more behind the private sector. Yet technology continues to evolve at a faster pace. Information security in particular is an area of weakness for third sector organisations. A report by the Department for Digital, Culture, Media and Sport (DCMS) highlighted a need for basic cyber-security awareness among charity staff and trustees.
The two primary reasons for this lag are workplace culture and aversion to risk. Yet the sector is perhaps the most at risk from online security threats: third sector IT systems are usually older than those of the private and public sectors and more vulnerable, running legacy software and unsupported operating systems.
I asked Martyn Croft in the Technology Trinity report how the Salvation Army managed security as part of a digitally enhanced workplace:
“My strategy was to have a firewall-centric infrastructure. It’s very important to provide a solid basis for routing your traffic to where you want it to go.”
Croft discussed the complications of securing an increasingly mobile workforce, but he explained that adapting and securing the network and users, rather than the business’s devices, is the more manageable approach.
“Providing BYO segments of the network means we can control who has access to the precious data. With this approach, users only view their desktop through a window. Then you’ve kept the two things separate.”
Overall, providing secure access to unauthenticated users and devices is the goal for Croft. With that level of security in place, charities can provide essential access to those who most need it, the homeless or those out of work for instance, to give them a helping hand.
So, with the latest EU data protection reform on the horizon, robust information governance processes are absolutely critical across all sectors. While it’s essential to ensure devices and networks are encrypted end-to-end, speaking to our CIOs highlighted that educating your workforce is absolutely key to improved business security.